The European Commission’s General Data Protection Regulation (GDPR) Evaluation Report of June 2020, declares the GDPR a success. However, it concedes that there is still more work to do. The EU is proud that the law is now a reference point and a catalyst for many countries around the world to modernise their data protection rules. Businesses, including SMEs, can comply with unified rules on a more level playing field. The general level of GDPR awareness among European citizens stands at between 69% and 71%. Conversely, 30% of EU citizens are not sufficiently engaged with data protection. This is a concern in an increasingly data-driven and artificial intelligence led future. The EU boasts that GDPR is future-proof and provides important and flexible tools to ensure data protection / privacy by design and security by design as new technologies develop.
Since May 2018, there have been challenges to the uniform application of GDPR at EU level and in each EU country:
- Between May 2018 and November 2019, 22 EU/EEA GDPR regulators issued 785 fines. However, most fines have been relatively modest and were mainly issued against the public sector and small companies.
- The handling of cross-border cases has not been as efficient or cohesive as intended. Differences persists in national administrative and court procedures, varying interpretations of key GDPR concepts and how and when to activate cooperation procedures.
- Slovenia has not yet enacted new GDPR laws or updated older data protection laws and so is a weak link in EU-wide compliance.
- Ireland and Luxembourg which hosts large global company headquarters have not received sufficient national funding and resources to meet their significant GDPR regulatory responsibilities.
- The EU’s GDPR regulators acting as the European Data Protection Board (EDPB) mutually assist each other, but the consistency mechanism’s key dispute resolution and urgency procedures have not yet been used.
Priorities and Actions
EU institutions, GDPR regulators and national governments have been tasked with the following actions:
- National governments should ensure that national laws and sector rules, are fully in line with the GDPR.
- National governments should provide GDPR regulators with the necessary human, financial and technical resources to properly enforce the data protection rules and liaise with stakeholders, citizens and SMEs.
- GDPR regulators should develop efficient working arrangements and increase the functioning of the cooperation and consistency mechanisms.
- GDPR regulators should closely monitor how GDPR applies to new technologies such as Artificial Intelligence, Internet of Things, Blockchain, scientific research and other technologies and the EDPB will issue guidance on these topics.
- The European Commission should continue to promote the convergence of data protection rules to ensure safe international data flows. This could include new or updated data protection laws or adopting the Data Free Flow with Trust (DFFT) concept internationally.
- The European Commission should continue data protection adequacy discussions with non EU/EEA third-countries.
- The European Commission will modernise and expand international data transfer mechanisms by updating the EU’s data protection Standard Contractual Clauses (SCCs) and certification mechanisms.
- The EDPB will clarify the procedural steps to improve cooperation between the lead data protection authority and the other GDPR regulators involved in shared activities.
- The EDPB will streamline the assessment and approval processes for Binding Corporate Rules (BCRs) to speed up the process.
- The EDPB will complete work on the architecture, procedures and assessment criteria for codes of conduct and certification mechanisms as tools for international data transfers.
The EU believes that the GDPR’s future-proof and technology-neutral approach was tested by the Coronavirus Covid-19 pandemic and has proven to be successful. GDPR principles provided a useful framework to support the development of tools to combat and monitor the spread of the virus. This future-proof and risk-based approach will apply to the EU’s framework for Artificial Intelligence and the European Data Strategy. The overall aim is that GDPR becomes fully incorporated into the EU’s digital policy, data governance, data ethics, digital transformation, cybersecurity and pandemic recovery plans and initiatives. The EU’s strategy is also international, including engagement with African and Asian partners and inter-governmental bodies to promote regulatory convergence and support capacity-building within data protection regulators globally. There is also a plan to promote greater international enforcement cooperation between data privacy regulators, including signing cooperation and mutual assistance agreements.